S12500 Switch and SR88 Cannot Establish OSPF Neighbors

2020-03-23 17:00:16 Published

Network Topology

S12500----SR88

Problem Description

The S12500 and the peer router are interconnected. While the device is running, the OSPF neighbor relationship drops and remains in the ExStart state.

Process Analysis

Debug information shows that the switch did not receive the OSPF DD packets from the peer, yet the traffic statistics on the switch side do count the DD packets. This indicates that the DD packets were not delivered to the platform for processing, so the investigation has to follow the path from the device port to the platform.

As shown below, all received packets are addressed to multicast addresses; there are no unicast DD packets.
  

*Dec 29 11:54:01:149 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:OSPF 100: RECV Packet.

*Dec 29 11:54:01:149 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Source Address: 66.xx.xx.131

*Dec 29 11:54:01:149 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Destination Address: 2xx.0.0.5

*Dec 29 11:54:01:149 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Ver# 2, Type: 1, Length: 52.

*Dec 29 11:54:01:150 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Router: 66.xx.xx.4, Area: 0.0.0.0, Checksum: 50852.

*Dec 29 11:54:01:150 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:AuType: 00, Key(ascii): 0 0 0 0 0 0 0 0.

*Dec 29 11:54:01:150 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Net Mask: 2xx.xx.xx.128, Hello Int: 10, Option: _E_.

*Dec 29 11:54:01:151 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Rtr Priority: 1, Dead Int: 40, DR: 66.xx.xx.131, BDR: 66.xx.xx.130.

*Dec 29 11:54:01:151 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Attached Neighbor: 66.xx.xx.1.

*Dec 29 11:54:01:151 2018 C02-N1/C01-N2-H3C-S12508-1 RM/6/RMDEBUG:Attached Neighbor: 66.xx.xx.3.
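
The check made by eye on the debug output above can be scripted. This is an added example, not part of the original case: it parses RMDEBUG records and flags the pattern of multicast packets only with no unicast DD. The sample log is constructed (hostname SW1 and the 192.0.2.x addresses are placeholders), and the assumption that non-RECV records use the same "OSPF <id>: <direction> Packet" header is mine.

```python
import ipaddress
import re

OSPF_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}  # RFC 2328

# Constructed sample in the RMDEBUG layout shown above (example addresses,
# hypothetical hostname SW1); it is not the masked output from the case.
SAMPLE = "\n".join(
    f"*Dec 29 11:54:{sec}:149 2018 SW1 RM/6/RMDEBUG:{body}"
    for sec in ("01", "11")
    for body in (
        "OSPF 100: RECV Packet.",
        "Source Address: 192.0.2.131",
        "Destination Address: 224.0.0.5",
        "Ver# 2, Type: 1, Length: 52.",
    )
)

HEADER = re.compile(r"RMDEBUG:OSPF \d+: (\w+) Packet")
ADDR = re.compile(r"RMDEBUG:(Source|Destination) Address: (\S+)")
TYPE = re.compile(r"RMDEBUG:Ver# \d+, Type: (\d+)")

def parse_received(log):
    """Return one {'src', 'dst', 'type'} dict per complete RECV record."""
    records, cur = [], None
    for line in log.splitlines():
        if m := HEADER.search(line):
            # Only RECV records matter; any other direction ends the record.
            cur = {} if m.group(1) == "RECV" else None
            if cur is not None:
                records.append(cur)
        elif cur is not None:
            if m := ADDR.search(line):
                cur["src" if m.group(1) == "Source" else "dst"] = m.group(2)
            elif m := TYPE.search(line):
                cur["type"] = OSPF_TYPES.get(int(m.group(1)), "unknown")
    return [r for r in records if len(r) == 3]

def diagnose(records):
    """Flag the pattern in this case: multicast packets only, no unicast DD."""
    mcast = sum(ipaddress.ip_address(r["dst"]).is_multicast for r in records)
    dd_seen = any(r["type"] == "DD" for r in records)
    return {
        "multicast": mcast,
        "unicast": len(records) - mcast,
        "dd_seen": dd_seen,
        "unicast_filtered_suspected": mcast > 0 and mcast == len(records) and not dd_seen,
    }

if __name__ == "__main__":
    print(diagnose(parse_received(SAMPLE)))
```
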

First, check the configuration under the port. There is a packet filter applied on the VLAN virtual interface:


interface Vlan-interface200
 ip binding vpn-instance guanli
 ip address 66.xx.xx.129 255.255.255.128
 packet-filter 3003 inbound


Checking ACL 3003 showed that the ACL did not permit OSPF packets. The site added rule 0 permit ospf to the ACL.

However, the site had been running normally before, and the problem appeared suddenly. Why did this happen?

An OSPF unicast packet is handled the same way as an ordinary packet whose destination IP is the device: it is sent to the CPU by a table lookup, not by an ACL. The OSPF multicast addresses, in contrast, have dedicated entries that copy the packets to the CPU:
 

 ========

Acl-Type RX IPv4 Middle High, Stage IFP, Global, Installed, Active

Prio Mjr/Sub 523/19, Group 2 [2], Slice/Idx 2/29, Entry 825, Double: 1053/1565

Rule Match --------

        Ports: 0x0bfffffe; 0xffffffff

        Lookup: VLAN ID valid[y], STP forwarding, 0x1c, 0x1c

        Dest IP: 2xx.xx.xx.6, 255.255.255.255

        IP protocol: ospf

        Vlan Class id: 0x0    Mask: 0x20

Actions --------

        CAR cir 0x400, cbs 0x800, pir 0x400, pbs 0x800, mode srTCM color blind

        Account mode  packets,  green and non-green

        Copy_to_cpu : Yes

        Change CPU pkt COS 30

        Permit

        Red Deny

        Red_Copy_to_cpu : No

        Yel Deny

        Yel_Copy_to_cpu : No

MatchedName:12, IPV4_MC_OSPF_6

Accounting: Hi 0, LO 0

========

Acl-Type RX IPv4 Middle High, Stage IFP, Global, Installed, Active

Prio Mjr/Sub 523/19, Group 2 [2], Slice/Idx 2/30, Entry 826, Double: 1054/1566

Rule Match --------

        Ports: 0x0bfffffe; 0xffffffff

        Lookup: VLAN ID valid[y], STP forwarding, 0x1c, 0x1c

        Dest IP: 2xx.xx.xx.5, 255.255.255.255

        IP protocol: ospf

        Vlan Class id: 0x0    Mask: 0x20

Actions --------

        CAR cir 0x400, cbs 0x800, pir 0x400, pbs 0x800, mode srTCM color blind

        Account mode  packets,  green and non-green

        Copy_to_cpu : Yes

        Change CPU pkt COS 30

        Permit

        Red Deny

        Red_Copy_to_cpu : No

        Yel Deny

        Yel_Copy_to_cpu : No

MatchedName:11, IPV4_MC_OSPF_5

Accounting: Hi 0, LO 0

========


Checking the priorities then shows that the 2xx.xx.xx.5/6 entries have a higher priority than packet filtering, so the two sides can exchange hello packets, but the subsequent unicast packets are filtered out.

 97    PktFilter IP on PORT               FALSE       8         28

9     RX IPv4 Middle High               TRUE       11        19

Checking the device showed that the main engine had restarted before the failure. Based on what was observed on site, the sequence of events should be:


1. No packet filtering was configured when the neighbor was established, so the neighbor could be established normally.

2. Packet filtering was then added. Once the OSPF neighbor has been established successfully, only hello packets and update packets are exchanged, both of which are sent to 2xx.xx.xx.5/6.

3. After the active/standby switchover, the OSPF neighbors were re-established, and the unicast packets were filtered.
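
The three steps above can be replayed against a simplified model of the lookup order described in this case. This is an added example, not H3C code: the ACL rules are constructed stand-ins (the contents of ACL 3003 are not shown in the case), 192.0.2.129 is a placeholder for the interface address, and 224.0.0.5/224.0.0.6 are the standard OSPF multicast groups.

```python
LOCAL_IP = "192.0.2.129"                     # placeholder for the Vlan-interface200 address
BUILTIN_MCAST = {"224.0.0.5", "224.0.0.6"}   # AllSPFRouters / AllDRouters

# Constructed stand-ins for ACL 3003: (action, protocol); "ip" matches everything.
ACL_BEFORE = [("permit", "tcp"), ("deny", "ip")]
ACL_AFTER = [("permit", "ospf")] + ACL_BEFORE   # with rule 0 permit ospf added


def disposition(proto, dst, acl):
    """Return what happens to one inbound packet in this simplified model."""
    # 1. Built-in copy-to-CPU entries (IPV4_MC_OSPF_5/6) outrank packet filtering.
    if proto == "ospf" and dst in BUILTIN_MCAST:
        return "cpu (built-in entry)"
    # 2. Inbound packet-filter: the first matching rule decides.
    for action, match in acl:
        if match in (proto, "ip"):
            if action == "deny":
                return "dropped (packet-filter)"
            break
    # 3. Unicast to the local address reaches the CPU by table lookup.
    return "cpu (table lookup)" if dst == LOCAL_IP else "forwarded"


# Packets received from the peer while the adjacency forms (DD/LSR are unicast)
ADJACENCY = [("Hello", "224.0.0.5"), ("DD", LOCAL_IP),
             ("LSR", LOCAL_IP), ("LSU", LOCAL_IP)]
# Packets received once the adjacency is up, per step 2 above
ESTABLISHED = [("Hello", "224.0.0.5"), ("LSU", "224.0.0.5")]


def replay(packets, acl):
    """Map each OSPF packet name to its disposition under the given ACL."""
    return {name: disposition("ospf", dst, acl) for name, dst in packets}


if __name__ == "__main__":
    print("established, filter added :", replay(ESTABLISHED, ACL_BEFORE))
    print("re-forming after switchover:", replay(ADJACENCY, ACL_BEFORE))
    print("re-forming with permit ospf:", replay(ADJACENCY, ACL_AFTER))
```
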


Solution

Add rule 0 permit ospf to the ACL.

This is how the S12500 is currently implemented. Other products, such as the S6800, send unicast OSPF packets to the CPU through an ACL.
  
